I'm down to my last error running Splunk Add-on Builder pre-certification test for my app:
Error message: Invalid key in stanza [rapid_response_action] in /opt/splunk/etc/apps/TA-rapidresponse/default/alert_actions.conf, line 16: param._cam (value: { "category": ["Custom Alert Response","Composed Response App"], "task": ["respond","remediate"], "subject": ["system.resources"], "technology": [{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}], "supports_adhoc": true }).
My alert_actions.conf is:
[rapid_response_action]
param.description =
payload_format = json
param.summary =
param.recoveryAppCoordinate =
label = non-adaptivew rapid response action
icon_path = alert_rapid_response_action.png
is_custom = 1
param._cam = {\
"category": ["Custom Alert Response","Composed Response App"],\
"task": ["respond","remediate"],\
"subject": ["system.resources"],\
"technology": [{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}],\
"supports_adhoc": true\
}
I ran 'bin/splunk cmd btool --app=TA-rapidresponse alert_actions list' , which didn't report any errors.
I'm running Splunk Enterprise 6.5.1 build f74036626f0c, with Splunk Add-on Builder App Version 2.0.0 App Build 15.
What am I missing? Please let me know.
Thank You!
Frank
One year old already...
Well I think I figured it out. You need to modify
$SPLUNK_HOME/etc/apps/YOUR_APP/README/alert_actions.conf.spec
by adding this
param._cam=
missing or malformed messages.conf stanza for LM LICENSE - how to resolve this issue
Hey @rajibsaha2000, Since this post is from January you should create a new Answer post w/ your question. If this post is related you can include a link to reference it. Happy Splunking!
It's really weird. It's saying something is wrong with that key. Unfortunately it doesn't strike me as wrong or malformed. And I haven't used the add on builder either. I'll convert to comments and upvote to bring more attention to your cause though!
The examples provided at the path below both show "subject" as an array:
$ cat SPLUNK_HOME/etc/apps/Splunk_SA_CIM/README/alert_actions.conf.example
[my_action]
...
param._cam = {\
"category": ["Information Gathering"],\
"task": ["create"],\
"subject": ["network.capture"],\
"technology": [{"vendor": "Splunk", "product": "Splunk App for Stream"}],\
"supports_adhoc": true,\
"drilldown_uri": "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
}
[my_action2]
...
-
param._cam = {\
"category": ["Information Gathering"],\
"task": ["scan"],\
"subject": ["process.reputation-service"],\
"technology": [{"vendor": "myvendor", "product": "myproduct", "version": "1.0"}],\
"supports_adhoc": true,\
"drilldown_uri": "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
}
I did remove the backslashes and line breaks to make it all one line as shown below, and pre-validation still reported the same invalid key error. Is there something about the key param._cam that's invalid in this situation?
[rapid_response_action]
param.description =
payload_format = json
param.summary =
param.recoveryAppCoordinate =
label = non-adaptivew rapid response action
icon_path = alert_rapid_response_action.png
is_custom = 1
param._cam = {"category":["Custom Alert Response","Composed Response App"],"task":["respond","remediate"],"subject":["system.
resources"],"technology":[{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}],"supports_adhoc":true}
Appreciate the help!
Frank
"subject": ["system.resources"],\
That doesn't look like it should be in an array.., would remove the square braces.
Would also try to make it all one line by removing the line breaks and the backslashes.